jspdf 1.3.5 vulnerabilities

Known vulnerabilities in the jspdf package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `addImage` or `html` methods. An attacker can cause excessive CPU utilization and application unresponsiveness by supplying malicious PNG image data or URLs. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `jspdf` to version 3.0.2 or higher.	<3.0.2
H Regular Expression Denial of Service (ReDoS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `addImage()`, `html()`, and `addSvgAsImage()` methods. An attacker can occupy excessive CPU by supplying a malicious data-url. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `jspdf` to version 3.0.1 or higher.	<3.0.1
M Regular Expression Denial of Service (ReDoS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). ReDoS is possible via the addImage function. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `jspdf` to version 2.3.1 or higher.	<2.3.1
M Cross-site Scripting (XSS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It's possible to use `<<script>script>` in order to go over the filtering regex. PoC import jsPDF from "jspdf"; var doc = new jsPDF(); let html = ` <p id='test'>a</p> <<script>script>document.write(window.location);</</script>script> `; doc.fromHTML( html, 0, 0, { width: 100 // max width of content on PDF }, function(_) { doc.save(); } ); How to fix Cross-site Scripting (XSS)? Upgrade `jspdf` to version 2.0.0 or higher.	<2.0.0
M Cross-site Scripting (XSS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It's possible to inject JavaScript code via the `html` method. PoC var doc = new jsPDF(); window.html2canvas = html2canvas; let html = ` <p id='test'>a</p> <img src=x onerror=eval("document.getElementById('test').innerHTML=window.location") /> `; doc.html(html, { callback: function (doc) { doc.save(); } }); How to fix Cross-site Scripting (XSS)? Upgrade `jspdf` to version 2.0.0 or higher.	<2.0.0

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage or html methods. An attacker can cause excessive CPU utilization and application unresponsiveness by supplying malicious PNG image data or URLs.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade jspdf to version 3.0.2 or higher.

<3.0.2

Regular Expression Denial of Service (ReDoS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the addImage(), html(), and addSvgAsImage() methods. An attacker can occupy excessive CPU by supplying a malicious data-url.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade jspdf to version 3.0.1 or higher.

<3.0.1

Regular Expression Denial of Service (ReDoS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). ReDoS is possible via the addImage function.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade jspdf to version 2.3.1 or higher.

<2.3.1

Cross-site Scripting (XSS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It's possible to use <<script>script> in order to go over the filtering regex.

PoC

import jsPDF from "jspdf";

var doc = new jsPDF();

let html = `
<p id='test'>a</p>
<<script>script>document.write(window.location);</</script>script>
`;
doc.fromHTML(
  html,
  0,
  0,
  {
    width: 100 // max width of content on PDF
  },
  function(_) {
    doc.save();
  }
);

How to fix Cross-site Scripting (XSS)?

Upgrade jspdf to version 2.0.0 or higher.

<2.0.0

Cross-site Scripting (XSS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It's possible to inject JavaScript code via the html method.

PoC

var doc = new jsPDF();
window.html2canvas = html2canvas;
let html = `
<p id='test'>a</p>
<img src=x onerror=eval("document.getElementById('test').innerHTML=window.location") />
`;
doc.html(html, {
  callback: function (doc) {
    doc.save();
  }
});

How to fix Cross-site Scripting (XSS)?

Upgrade jspdf to version 2.0.0 or higher.

<2.0.0

jspdf@1.3.5 vulnerabilities

PDF Document creation from JavaScript

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?

PoC

PoC